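<!doctype html>
<!-- Page content is Simplified Chinese; lang drives font fallback, hyphenation and
     screen-reader voice selection, and was missing from the theme output. -->
<html lang="zh-CN">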
<head>
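    <!--Setting-->
    <meta charset="UTF-8">
    <!-- Zoom is left enabled: user-scalable=no / maximum-scale=1 blocked pinch-zoom
         (WCAG 1.4.4) without any benefit to the layout. -->
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <meta name="renderer" content="webkit|ie-comp|ie-stand">
    <meta name="apple-mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-status-bar-style" content="black">
    <meta name="format-detection" content="telephone=no,email=no">

    <!--Simple SEO-->
    <meta name="robots" content="all">
    <meta name="google" content="all">
    <meta name="googlebot" content="all">
    <meta name="verify" content="all">

    <!--Title-->
    <title>firewalld示例 | MIAbon&#39;s blog</title>
    <link rel="alternate" href="/atom.xml" title="MIAbon&#39;s blog" type="application/atom+xml">
    <link rel="icon" href="/favicon.ico">

    <link rel="stylesheet" href="/css/base.css">
    <link rel="stylesheet" href="/css/pages/post.css">
    <!-- Third-party CSS pinned to an explicit https: origin (was protocol-relative, which
         downgrades to http: on an http: page). No integrity attribute yet: add one once the
         file's hash is recorded so a CDN change cannot silently alter the stylesheet. -->
    <link rel="stylesheet" href="https://cdn.bootcss.com/font-awesome/4.7.0/css/font-awesome.min.css">
    <link rel="stylesheet" href="/css/thirdParty/highlight/github.css">
    <!-- The theme also emitted a stylesheet link with an empty file name ("/.css"), a
         template variable that was never set; it only produced a 404 and is dropped here. -->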

    <!--script-->


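<!-- LeanCloud SDK. Fetched over https: (was plain http:, which lets any on-path network
     attacker replace the script and is blocked as active mixed content on an https: page). -->
<script src="https://cdn1.lncld.net/static/js/3.2.1/av-min.js"></script>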
<script>
  // LeanCloud (lncld.net) client initialisation for this page; presumably consumed by the
  // per-post hit counter (.hits-meta / data-leadcloud-* in the post header) — confirm in app.js.
  // appId/appKey are shipped to every visitor, so they are client credentials, not secrets.
  // NOTE(review): what they can read or write is then bounded only by the access rules
  // configured on the LeanCloud side — confirm those are not left at permissive defaults.
  var appId = "i7AHmC7NPbPtgS3YxT67dRIc-9Nh9j0Va";
  var appKey = "g6TKbY8O4TsCDMcemoC3STvQ";
  // Empty string: the SDK's default region is used — TODO confirm this is the intended one.
  var region = "";
  AV.init({
    appId: appId,
    appKey: appKey,
    region: region
  });
</script>


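<!-- Visitor counter (busuanzi), pinned to https: (was protocol-relative). Loaded async as it
     only fills the #busuanzi_* spans in the footer; consider an integrity attribute once the
     file is pinned to a fixed build. -->
<script async src="https://dn-lbstatics.qbox.me/busuanzi/2.3/busuanzi.pure.mini.js"></script>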

<!--<script src="https://imsun.github.io/gitment/dist/gitment.browser.js"></script>-->


    
    
</head>

<body id="normal">
<!--[if lte IE 8]>
<style>
    html{ font-size: 1em }
</style>
<![endif]-->
<!--[if lte IE 9]>
<style>
    header{ top: 71px; position: absolute!important;}
    #container{padding-top: 151px!important;}
</style>
<div style="position:fixed;z-index:9999;left:0;top:0;width:100%;height:70px;background-color:#e0e0e0;color:#396CA5;border-bottom:1px solid #cecece;text-align:center;line-height:70px;white-space: nowrap;overflow: hidden;text-overflow: ellipsis">你使用的浏览器版本过低，为了你更好的阅读体验，请更新浏览器的版本或者使用其他现代浏览器，比如Chrome、Firefox、Safari等。</div>
<![endif]-->

<div id="wrap">
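    <!-- Inline position is left as the theme emits it; the IE<=9 fallback above repeats it
         with !important. -->
    <header style="position: absolute;">
    <div id="site-meta">
        <a href="/" id="logo">
            <h1 class="title">MIAbon&#39;s blog</h1>
        </a>
    </div>
    <ul id="nav">
        <li><a href="/"><i class="fa fa-home"></i>首页</a></li>
        <li><a href="/atom.xml"><i class="fa fa-rss"></i>RSS</a></li>
        <!-- Opens the #search-overlay panel. The fragment href replaces javascript:void(0),
             which a script-src CSP would refuse to run; presumably search.js (loaded at the
             end of body) binds the click and calls preventDefault — TODO confirm. -->
        <li id="search"><a href="#search-overlay"><i class="fa fa-search"></i>搜索</a></li>
    </ul>
</header>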

    <div id="container">
        
<ul id="sidebar">
    
    
    
    
<li class="widget widget-normal category">
    <h3 class="fa fa-th widget-title">分类</h3>
    <ul class="category-list"><li class="category-list-item"><a class="category-list-link" href="/categories/ELK/"><i class="fa" aria-hidden="true">ELK</i></a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/Lvs/"><i class="fa" aria-hidden="true">Lvs</i></a><span class="category-list-count">2</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/admin/"><i class="fa" aria-hidden="true">admin</i></a><span class="category-list-count">5</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/ansible/"><i class="fa" aria-hidden="true">ansible</i></a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/aws/"><i class="fa" aria-hidden="true">aws</i></a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/docker/"><i class="fa" aria-hidden="true">docker</i></a><span class="category-list-count">7</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/drone/"><i class="fa" aria-hidden="true">drone</i></a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/kernel/"><i class="fa" aria-hidden="true">kernel</i></a><span class="category-list-count">2</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/kubernetes/"><i class="fa" aria-hidden="true">kubernetes</i></a><span class="category-list-count">2</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/kvm/"><i class="fa" aria-hidden="true">kvm</i></a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/mongodb/"><i class="fa" aria-hidden="true">mongodb</i></a><span 
class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link current" href="/categories/python/"><i class="fa" aria-hidden="true">python</i></a><span class="category-list-count">9</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/share/"><i class="fa" aria-hidden="true">share</i></a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/web/"><i class="fa" aria-hidden="true">web</i></a><span class="category-list-count">12</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/zabbix/"><i class="fa" aria-hidden="true">zabbix</i></a><span class="category-list-count">3</span></li></ul>
</li>


    
    
<li class="widget widget-normal archive">
  <h3 class="fa fa-archive widget-title">归档</h3>
    <ul class="archive-list"><li class="archive-list-item"><a class="archive-list-link" href="/archives/2018/02/"><i class="fa" aria-hidden="true">二月 2018</i></a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2018/01/"><i class="fa" aria-hidden="true">一月 2018</i></a><span class="archive-list-count">8</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/12/"><i class="fa" aria-hidden="true">十二月 2017</i></a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/11/"><i class="fa" aria-hidden="true">十一月 2017</i></a><span class="archive-list-count">3</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/10/"><i class="fa" aria-hidden="true">十月 2017</i></a><span class="archive-list-count">4</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/09/"><i class="fa" aria-hidden="true">九月 2017</i></a><span class="archive-list-count">2</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/08/"><i class="fa" aria-hidden="true">八月 2017</i></a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/05/"><i class="fa" aria-hidden="true">五月 2017</i></a><span class="archive-list-count">4</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/04/"><i class="fa" aria-hidden="true">四月 2017</i></a><span class="archive-list-count">2</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/03/"><i class="fa" aria-hidden="true">三月 2017</i></a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/01/"><i class="fa" aria-hidden="true">一月 2017</i></a><span 
class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2016/12/"><i class="fa" aria-hidden="true">十二月 2016</i></a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2016/11/"><i class="fa" aria-hidden="true">十一月 2016</i></a><span class="archive-list-count">3</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2016/10/"><i class="fa" aria-hidden="true">十月 2016</i></a><span class="archive-list-count">2</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2016/08/"><i class="fa" aria-hidden="true">八月 2016</i></a><span class="archive-list-count">2</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2016/05/"><i class="fa" aria-hidden="true">五月 2016</i></a><span class="archive-list-count">4</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2016/04/"><i class="fa" aria-hidden="true">四月 2016</i></a><span class="archive-list-count">8</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2015/05/"><i class="fa" aria-hidden="true">五月 2015</i></a><span class="archive-list-count">1</span></li></ul>
</li>


    
    
<li class="widget widget-normal tags">
  <h3 class="fa fa-tags widget-title">标签云</h3>
  <div class="tagcloud-content">
    
      <a href="/tags/drone/" style="font-size: 0.14rem; color: #69c">drone</a> <a href="/tags/linux/" style="font-size: 0.2rem; color: #0a407c">linux</a> <a href="/tags/kernel/" style="font-size: 0.16rem; color: #4f83b8">kernel</a> <a href="/tags/ELK/" style="font-size: 0.14rem; color: #69c">ELK</a> <a href="/tags/ansible/" style="font-size: 0.14rem; color: #69c">ansible</a> <a href="/tags/swarm/" style="font-size: 0.14rem; color: #69c">swarm</a> <a href="/tags/docker/" style="font-size: 0.18rem; color: #215690">docker</a> <a href="/tags/firewalld/" style="font-size: 0.14rem; color: #69c">firewalld</a> <a href="/tags/zabbix/" style="font-size: 0.16rem; color: #4f83b8">zabbix</a> <a href="/tags/aws/" style="font-size: 0.14rem; color: #69c">aws</a> <a href="/tags/web/" style="font-size: 0.16rem; color: #4f83b8">web</a> <a href="/tags/python/" style="font-size: 0.18rem; color: #215690">python</a> <a href="/tags/spider/" style="font-size: 0.17rem; color: #386da4">spider</a>
  </div>
</li>


    
    
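<li class="widget widget-normal friends-link">
    <h3 class="fa fa-globe widget-title">友链</h3><br>
    <!-- Third-party sites opened in a new tab: rel=noopener denies the opened page access to
         window.opener (so it cannot navigate this tab), noreferrer also withholds the Referer. -->
    <a href="http://zhengwei666.wang" class="fa" target="_blank" rel="noopener noreferrer">zhengwei</a>
    <a href="https://you-deng.github.io" class="fa" target="_blank" rel="noopener noreferrer">dengyou</a>
    <a href="http://www.systemd.cn" class="fa" target="_blank" rel="noopener noreferrer">langyaoliang</a>
    <a href="http://www.chen-hao.com.cn/" class="fa" target="_blank" rel="noopener noreferrer">chenhao</a>
    <a href="http://www.yulongjun.com" class="fa" target="_blank" rel="noopener noreferrer">yulongjun</a>
</li>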

    
</ul>


        <div id="main">
    <article id="post">
        <div id="post-header">

            <h1 id="firewalld示例">
                
                firewalld示例
                
            </h1>
            <div class="article-meta">
    
    
    <span class="categories-meta fa-wrap">
            <i class="fa fa-folder-open-o"></i>
        <span>admin</span>
    </span>
    
    
    <span class="fa-wrap">
         <i class="fa fa-tags"></i>
        <span class="tags-meta">
            
            linux
            
        </span>
    </span>
    
    
    <span class="fa-wrap">
        <i class="fa fa-clock-o"></i>
        <span class="date-meta ">2017/05/24</span>
    </span>
    
    
    <span class="fa-wrap">
            <i class="fa fa-thermometer-three-quarters"></i>
        <span class="hits hits-meta " data-leadcloud-title="firewalld示例"
              data-leadcloud-url="/2017/05/24/firewalld/"><i class="fa fa-spinner fa-spin"></i></span>
    </span>
    
    
</div>

            
            
        </div>
        
        <div id="post-body">
            <h1 id="1-启动服务"><a href="#1-启动服务" class="headerlink" title="1.启动服务"></a>1.启动服务</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">systemctl <span class="built_in">enable</span> firewalld</div><div class="line">systemctl start firewalld</div></pre></td></tr></table></figure>
<h1 id="2-检查防火墙状态"><a href="#2-检查防火墙状态" class="headerlink" title="2.检查防火墙状态"></a>2.检查防火墙状态</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --state</div><div class="line">systemctl status firewalld</div></pre></td></tr></table></figure>
<h1 id="3-区域管理"><a href="#3-区域管理" class="headerlink" title="3. 区域管理"></a>3. 区域管理</h1><h2 id="3-1网络区域简介"><a href="#3-1网络区域简介" class="headerlink" title="3.1网络区域简介"></a>3.1网络区域简介</h2><p>通过将网络划分成不同的区域（通常情况下称为 zones），制定出不同区域之间的访问控制策略来控制不同信任程度区域间传送的数据流。例如互联网是不可信任的区域，而内部网络是高度信任的区域。这样可以避免安全策略所禁止的通信。它的基本任务是控制不同信任区域之间的信息流。典型的区域包括互联网（不可信任的区域）和内部网络（高度信任的区域）。最终目标是根据最小特权原则，通过安全策略和连通性模型，在不同信任级别的区域之间提供受控的连通性。例如：公共 WIFI 网络连接应该不信任，而家庭有线网络连接就应该完全信任。网络安全模型可以在安装、初次启动和首次建立网络连接时选择初始化。该模型描述了主机所联的整个网络环境的可信级别，并定义了新连接的处理方式。/etc/firewalld/ 中的区域设定是一组可以快速应用到网络接口的预设配置。有几种不同的初始区域：<br><strong>drop（丢弃）</strong><br>任何接收的网络数据包都被丢弃，没有任何回复。仅能有发送出去的网络连接。<br><strong>block（限制）</strong><br>任何接收的网络连接都被 IPv4 的 icmp-host-prohibited 信息和 IPv6 的 icmp6-adm-prohibited 信息所拒绝。<br><strong>public（公共）</strong><br>在公共区域内使用，不能相信网络内的其他计算机不会对您的计算机造成危害，只能接收经过选取的连接。<br><strong> external（外部） </strong><br>特别是为路由器启用了伪装功能的外部网。您不能信任来自网络的其他计算机，不能相信它们不会对您的计算机造成危害，只能接收经过选择的连接。<br><strong> dmz（非军事区） </strong><br>用于您的非军事区内的电脑，此区域内可公开访问，可以有限地进入您的内部网络，仅仅接收经过选择的连接。<br><strong> work（工作） </strong><br>用于工作区。您可以基本相信网络内的其他电脑不会危害您的电脑。仅仅接收经过选择的连接。<br><strong> home（家庭） </strong><br>用于家庭网络。您可以基本信任网络内的其他计算机不会危害您的计算机。仅仅接收经过选择的连接。<br><strong> internal（内部） </strong><br>用于内部网络。您可以基本上信任网络内的其他计算机不会威胁您的计算机。仅仅接受经过选择的连接。<br><strong> trusted（信任） </strong><br>可接受所有的网络连接。<br><strong>说明：firewalld 的缺省区域是 public。</strong></p>
<h2 id="3-2显示设置查看区域"><a href="#3-2显示设置查看区域" class="headerlink" title="3.2显示设置查看区域"></a>3.2显示设置查看区域</h2><h3 id="3-2-1-显示支持的区域列表"><a href="#3-2-1-显示支持的区域列表" class="headerlink" title="3.2.1 显示支持的区域列表"></a>3.2.1 显示支持的区域列表</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --get-zones</div><div class="line">block drop work internal external home dmz public trusted</div></pre></td></tr></table></figure>
<h3 id="3-2-2设置为家庭区域"><a href="#3-2-2设置为家庭区域" class="headerlink" title="3.2.2设置为家庭区域"></a>3.2.2设置为家庭区域</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --<span class="built_in">set</span>-default-zone=home</div></pre></td></tr></table></figure>
<h3 id="3-2-3查看当前的区域"><a href="#3-2-3查看当前的区域" class="headerlink" title="3.2.3查看当前的区域"></a>3.2.3查看当前的区域</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --get-active-zones</div></pre></td></tr></table></figure>
<h3 id="3-2-4设置当前的区域的接口"><a href="#3-2-4设置当前的区域的接口" class="headerlink" title="3.2.4设置当前的区域的接口"></a>3.2.4设置当前的区域的接口</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --get-zone-of-interface=enp03s</div></pre></td></tr></table></figure>
<h3 id="3-2-5显示所有公共区域（public）"><a href="#3-2-5显示所有公共区域（public）" class="headerlink" title="3.2.5显示所有公共区域（public）"></a>3.2.5显示所有公共区域（public）</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --zone=public --list-all</div></pre></td></tr></table></figure>
<h3 id="3-2-6临时修改网络接口-enp0s3-为-内部区域（internal）"><a href="#3-2-6临时修改网络接口-enp0s3-为-内部区域（internal）" class="headerlink" title="3.2.6临时修改网络接口 enp0s3 为  内部区域（internal）"></a>3.2.6临时修改网络接口 enp0s3 为  内部区域（internal）</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --zone=internal --change-interface=enp03s</div></pre></td></tr></table></figure>
<h3 id="3-2-7永久修改网络接口-enp0s3-为-内部区域（internal）"><a href="#3-2-7永久修改网络接口-enp0s3-为-内部区域（internal）" class="headerlink" title="3.2.7永久修改网络接口 enp0s3 为  内部区域（internal）"></a>3.2.7永久修改网络接口 enp0s3 为  内部区域（internal）</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --permanent --zone=internal --change-interface=enp03s</div></pre></td></tr></table></figure>
<h1 id="4-服务管理"><a href="#4-服务管理" class="headerlink" title="4.服务管理"></a>4.服务管理</h1><h2 id="4-1显示服务列表"><a href="#4-1显示服务列表" class="headerlink" title="4.1显示服务列表"></a>4.1显示服务列表</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --get-services</div><div class="line">RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server</div></pre></td></tr></table></figure>
<h3 id="4-1-1允许-ssh-服务通过"><a href="#4-1-1允许-ssh-服务通过" class="headerlink" title="4.1.1允许 ssh 服务通过"></a>4.1.1允许 ssh 服务通过</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --<span class="built_in">enable</span> service=ssh</div></pre></td></tr></table></figure>
<h3 id="4-1-2禁止ssh服务通过"><a href="#4-1-2禁止ssh服务通过" class="headerlink" title="4.1.2禁止ssh服务通过"></a>4.1.2禁止ssh服务通过</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --<span class="built_in">disable</span> service=ssh</div></pre></td></tr></table></figure>
<h3 id="4-1-3临时允许-samba-服务通过-600-秒"><a href="#4-1-3临时允许-samba-服务通过-600-秒" class="headerlink" title="4.1.3临时允许 samba 服务通过 600 秒"></a>4.1.3临时允许 samba 服务通过 600 秒</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --<span class="built_in">enable</span> service=samba --timeout=600</div></pre></td></tr></table></figure>
<h3 id="4-1-4显示当前服务"><a href="#4-1-4显示当前服务" class="headerlink" title="4.1.4显示当前服务"></a>4.1.4显示当前服务</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --list-services</div></pre></td></tr></table></figure>
<h3 id="4-1-5添加-http-服务到内部区域（internal）"><a href="#4-1-5添加-http-服务到内部区域（internal）" class="headerlink" title="4.1.5添加 http 服务到内部区域（internal）"></a>4.1.5添加 http 服务到内部区域（internal）</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --permanent --zone=internal --add-service=http</div><div class="line">firewall-cmd --reload</div></pre></td></tr></table></figure>
<h3 id="4-1-6将一个服务加入到分区，例SMTP"><a href="#4-1-6将一个服务加入到分区，例SMTP" class="headerlink" title="4.1.6将一个服务加入到分区，例SMTP"></a>4.1.6将一个服务加入到分区，例SMTP</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --zone=work --add-service=smtp</div></pre></td></tr></table></figure>
<h3 id="4-1-7将一个服务从工作区移除，例SMTP"><a href="#4-1-7将一个服务从工作区移除，例SMTP" class="headerlink" title="4.1.7将一个服务从工作区移除，例SMTP"></a>4.1.7将一个服务从工作区移除，例SMTP</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --zone=work --remove-service=smtp</div></pre></td></tr></table></figure>
<h1 id="5-端口管理"><a href="#5-端口管理" class="headerlink" title="5.端口管理"></a>5.端口管理</h1><h2 id="5-1打开端口"><a href="#5-1打开端口" class="headerlink" title="5.1打开端口"></a>5.1打开端口</h2><h3 id="5-1-1打开-443-tcp-端口在内部区域（internal）"><a href="#5-1-1打开-443-tcp-端口在内部区域（internal）" class="headerlink" title="5.1.1打开 443/tcp 端口在内部区域（internal）"></a>5.1.1打开 443/tcp 端口在内部区域（internal）</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --zone=public --add-port=443/tcp --permanent</div></pre></td></tr></table></figure>
<h3 id="5-1-2端口转发"><a href="#5-1-2端口转发" class="headerlink" title="5.1.2端口转发"></a>5.1.2端口转发</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div></pre></td><td class="code"><pre><div class="line">首先启用伪装（masquerade），然后把外部区域（external）的 22 端口转发到 3777。</div><div class="line">firewall-cmd --zone=external --add-masquerade</div><div class="line">firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3777</div><div class="line">转发 22 端口数据至另一个 ip 的相同端口上</div><div class="line">firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.168.1.100</div><div class="line">转发 22 端口数据至另一 ip 的 2055 端口上</div><div class="line">firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.168.1.100</div></pre></td></tr></table></figure>
<p><strong>直接接口设置</strong><br>firewalld 有一个被称为“direct interface”（直接接口），它可以直接传递 iptables、ip6tables 和 ebtables 的规则。它适用于应用程序，而不是用户。firewalld 保持对所增加项目的追踪，所以它还能质询 firewalld 和发现由使用直接端口模式的程序造成的更改。直接端口由增加 --direct 选项到 firewall-cmd 命令来使用。直接端口模式适用于服务或者程序，以便在运行时间内增加特定的防火墙规则。这些规则不是永久性的，它们需要在每次通过 D-BUS 从 firewalld 接到启动、重新启动和重新加载信息后运用。<br>例如添加 tcp 9999 端口。<br><code>firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9999 -j A</code></p>
<h1 id="6-在防火墙配置文件中创建自己的服务"><a href="#6-在防火墙配置文件中创建自己的服务" class="headerlink" title="6.在防火墙配置文件中创建自己的服务"></a>6.在防火墙配置文件中创建自己的服务</h1><p>首先假设需要建立的服务是 RTMP（RTMP 是 Real Time Messaging Protocol（实时消息传输协议）的首字母缩写。该协议基于 TCP）端口号 1935。在 /etc/firewalld/services/ 目录中rtmp.xml</p>
<h2 id="6-1rtmp-xml文件内容"><a href="#6-1rtmp-xml文件内容" class="headerlink" title="6.1rtmp.xml文件内容"></a>6.1rtmp.xml文件内容</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line">&lt;?xml version=<span class="string">"1.0"</span> encoding=<span class="string">"utf-8"</span>?&gt;</div><div class="line">&lt;service&gt;</div><div class="line">&lt;short&gt;rtmp services&lt;/short&gt;</div><div class="line">&lt;description&gt;RTMP Stream &lt;/description&gt;</div><div class="line">&lt;port protocol=<span class="string">"tcp"</span> port=<span class="string">"1935"</span>/&gt;</div><div class="line">&lt;/service&gt;</div></pre></td></tr></table></figure>
<p>每一个服务定义都需要一个简短的名字、描述，以及指定所用协议、端口和模块名的端口条目。然后把此服务加入防火墙规则中。</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">firewall-cmd --add-service=rtmp </div><div class="line">firewall-cmd --add-service=rtmp --permanent </div><div class="line">firewall-cmd --reload</div></pre></td></tr></table></figure>
<p><code>firewall-cmd --permanent --add-rich-rule="rule family='ipv4' destination address='118.184.191.7' reject"</code></p>

        </div>
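        <div id="post-footer">
            <div class="avatar">
                <img src="/img/author.jpg" alt="avatar">
                <!-- External link in a new tab: rel=noopener noreferrer denies the opened page
                     access to window.opener and withholds the Referer header. -->
                <a href="http://backup-miabon.oss-cn-hongkong.aliyuncs.com/img/alipay.jpg" target="_blank" rel="noopener noreferrer" class="donate fa">打赏小弟 &#128536;</a>
            </div>
            <ul class="author-profile-section">
                <li>
                  作者:
                    <a href="/about.html">MIAbon</a>
                </li>
                <li>发表日期: <span>2017-05-24  00:00:00</span></li>
                <li>最后编辑日期: <span>2017-11-23  08:23:00</span></li>
                <li class="post-category">
                    文章分类:
                    <a href="/categories/admin/">admin</a>
                </li>
                <li class="post-tags">
                    文章标签:
                    <a href="/tags/linux/">linux</a>
                    <a href="/tags/firewalld/">firewalld</a>
                </li>
                <li> 版权声明: <a href="https://creativecommons.org/licenses/by-nc-nd/3.0/" target="_blank" rel="noopener noreferrer">
知识共享署名-非商业性使用-禁止演绎 3.0 未本地化版本许可协议（CC BY-NC-ND 3.0）
</a></li>
            </ul>
            <div id="donate-wrap">
                <!-- Loaded over plain http: from a different host than the donate link above
                     (aliyuncs.com); on an https: page this is mixed content that browsers block
                     or flag. TODO: host the image locally under /img/ like author.jpg. -->
                <img src="http://www.geasslinks.com/img/alipay.jpg" alt="支付宝付款" class="donate-img">
            </div>
        </div>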
    </article>
    <div class="article-nav">
        
        <a href="/2017/08/30/docker_swarm/" class="pre-post fa fa-caret-left">docker swarm</a>
        
        
        <a href="/2017/05/15/k8s1.7/" class="next-post fa">Kubernetes1.7</a>
        
    </div>
    
    <div id="comments">
        

<script>
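  // Gitment comments. The gitment script is not loaded on this page (its <script> tag in
  // <head> is commented out), so an unguarded call throws ReferenceError on every view.
  // Render only when the global exists; otherwise #comments simply stays empty.
  if (typeof gitment !== "undefined" && gitment && typeof gitment.render === "function") {
    gitment.render(document.getElementById("comments"));
  }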
</script>



    </div>
    
</div>


    </div>
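    <footer id="footer">
    <div class="social">
        <!-- Icon-only links: aria-label supplies the accessible name (title alone is not
             reliably announced). External links opened in a new tab carry
             rel=noopener noreferrer so the target cannot reach window.opener. -->
        <a href="https://www.example1.com" class="fa fa-free-code-camp" target="_blank" rel="noopener noreferrer" title="freecodecamp" aria-label="freecodecamp"></a>
        <a href="https://github.com/werewolf2101" class="fa fa-github" target="_blank" rel="noopener noreferrer" title="Follow me~" aria-label="GitHub: Follow me~"></a>
        <!-- mailto: hands off to the mail client, so no new tab is needed (target=_blank left a
             blank tab behind in most browsers). NOTE(review): fa-email is not a Font Awesome 4.7
             icon name; unless base.css defines it, no icon renders — verify. -->
        <a href="mailto:werewolf2101@gmail.com" class="fa fa-email" title="Email" aria-label="Email"></a>
    </div>
    <div>
        <a href="/" class="copyright-links">MIAbon</a>&copy;2015 - 2018.All Rights
        Reserved.
    </div>
    <p>Powered by <a href="https://hexo.io" class="copyright-links" target="_blank" rel="noopener noreferrer">Hexo</a> | Theme by <a href="https://github.com/GeekaholicLin" class="copyright-links" target="_blank" rel="noopener noreferrer">GeekaholicLin</a>
    </p>
    <p>
        <span id="busuanzi_container_site_uv" class="fa fa-bar-chart">
        欢迎第<span id="busuanzi_value_site_uv"><i class="fa fa-spinner fa-spin"></i></span>位小伙伴~
        </span>
    </p>
</footer>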

</div>
    <ul id="tools">
    <li class="totop-btn fa fa-angle-up"></li>
    <li class="exchange-btn fa fa-exchange"></li>
  
    <li class="toc-btn fa fa-list-ul"></li>
    
    

    
</ul>
<p id="process"></p>
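<div id="search-overlay">
    <div class="search-area-wrap">
        <div id="search-area">
            <div class="input-wrap focus">
                <i class="fa fa-search" aria-hidden="true"></i>
                <!-- placeholder is not an accessible name; aria-label is the minimal fix while
                     the overlay design has no room for a visible label. -->
                <input id="search-input" autofocus autocomplete="off" type="text"
                       placeholder="search this website..." aria-label="search this website">
            </div>
            <ul id="search-result">
                <li class="load-first"><i class="fa fa-spinner fa-pulse"></i></li>
            </ul>
        </div>
    </div>
</div>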

    <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#1-启动服务"><span class="toc-number">1.</span> <span class="toc-text">1.启动服务</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#2-检查防火墙状态"><span class="toc-number">2.</span> <span class="toc-text">2.检查防火墙状态</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#3-区域管理"><span class="toc-number">3.</span> <span class="toc-text">3. 区域管理</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#3-1网络区域简介"><span class="toc-number">3.1.</span> <span class="toc-text">3.1网络区域简介</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#3-2显示设置查看区域"><span class="toc-number">3.2.</span> <span class="toc-text">3.2显示设置查看区域</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#3-2-1-显示支持的区域列表"><span class="toc-number">3.2.1.</span> <span class="toc-text">3.2.1 显示支持的区域列表</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#3-2-2设置为家庭区域"><span class="toc-number">3.2.2.</span> <span class="toc-text">3.2.2设置为家庭区域</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#3-2-3查看当前的区域"><span class="toc-number">3.2.3.</span> <span class="toc-text">3.2.3查看当前的区域</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#3-2-4设置当前的区域的接口"><span class="toc-number">3.2.4.</span> <span class="toc-text">3.2.4设置当前的区域的接口</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#3-2-5显示所有公共区域（public）"><span class="toc-number">3.2.5.</span> <span class="toc-text">3.2.5显示所有公共区域（public）</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#3-2-6临时修改网络接口-enp0s3-为-内部区域（internal）"><span class="toc-number">3.2.6.</span> <span class="toc-text">3.2.6临时修改网络接口 enp0s3 为  内部区域（internal）</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#3-2-7永久修改网络接口-enp0s3-为-内部区域（internal）"><span 
class="toc-number">3.2.7.</span> <span class="toc-text">3.2.7永久修改网络接口 enp0s3 为  内部区域（internal）</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#4-服务管理"><span class="toc-number">4.</span> <span class="toc-text">4.服务管理</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#4-1显示服务列表"><span class="toc-number">4.1.</span> <span class="toc-text">4.1显示服务列表</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#4-1-1允许-ssh-服务通过"><span class="toc-number">4.1.1.</span> <span class="toc-text">4.1.1允许 ssh 服务通过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#4-1-2禁止ssh服务通过"><span class="toc-number">4.1.2.</span> <span class="toc-text">4.1.2禁止ssh服务通过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#4-1-3临时允许-samba-服务通过-600-秒"><span class="toc-number">4.1.3.</span> <span class="toc-text">4.1.3临时允许 samba 服务通过 600 秒</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#4-1-4显示当前服务"><span class="toc-number">4.1.4.</span> <span class="toc-text">4.1.4显示当前服务</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#4-1-5添加-http-服务到内部区域（internal）"><span class="toc-number">4.1.5.</span> <span class="toc-text">4.1.5添加 http 服务到内部区域（internal）</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#4-1-6将一个服务加入到分区，例SMTP"><span class="toc-number">4.1.6.</span> <span class="toc-text">4.1.6将一个服务加入到分区，例SMTP</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#4-1-7将一个服务从工作区移除，例SMTP"><span class="toc-number">4.1.7.</span> <span class="toc-text">4.1.7将一个服务从工作区移除，例SMTP</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#5-端口管理"><span class="toc-number">5.</span> <span class="toc-text">5.端口管理</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#5-1打开端口"><span 
class="toc-number">5.1.</span> <span class="toc-text">5.1打开端口</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#5-1-1打开-443-tcp-端口在内部区域（internal）"><span class="toc-number">5.1.1.</span> <span class="toc-text">5.1.1打开 443/tcp 端口在内部区域（internal）</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#5-1-2端口转发"><span class="toc-number">5.1.2.</span> <span class="toc-text">5.1.2端口转发</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#6-在防火墙配置文件中创建自己的服务"><span class="toc-number">6.</span> <span class="toc-text">6.在防火墙配置文件中创建自己的服务</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#6-1rtmp-xml文件内容"><span class="toc-number">6.1.</span> <span class="toc-text">6.1rtmp.xml文件内容</span></a></li></ol></li></ol>


    <script src="/js/highsong.js"></script>



<script src="/js/search.js"></script>
<script type="text/javascript">
    // Theme configuration read by the theme scripts loaded below (app.js); kept as plain
    // `var` globals so an external script can reach them on window.
    // Values are strings because the theme template renders them verbatim.
    var copyrightObj = {
        enable: 'true',
        triggerCopyLength: '200',
        appendText: '商业转载请联系作者获得授权,非商业转载请注明出处 © gasslinks.com'
    };
    var leancloudObj = {
        enable: 'true',
        className: 'blog',
        limits: '5'
    };
</script>
<script>
// Baidu site-analytics loader: injects the hm.js tracker (keyed by the site id in the
// query string) as a script element placed before the first <script> on the page.
// Third-party script with full page access; no integrity attribute is possible here
// because the tracker is not a fixed file.
var _hmt = _hmt || [];
(function () {
  var firstScript = document.getElementsByTagName("script")[0];
  var tracker = document.createElement("script");
  tracker.src = "https://hm.baidu.com/hm.js?dfebe5842f5d4196471b84802392a4b2";
  firstScript.parentNode.insertBefore(tracker, firstScript);
})();
</script>
<script type="text/javascript">
    // Site-search bootstrap. search.js (loaded just above) is expected to define `_ajax`;
    // its init() result is exposed through the `search` global — presumably for app.js, confirm.
    var search = {};
    // The theme injects the index file name here and falls back to the default name when the
    // configured value is empty.
    var search_path = "search.xml";
    search_path = search_path || "search.xml";
    search.path = "/" + search_path;
    search.func = _ajax.init();
</script>
<script src="/js/app.js"></script>


</body>
</html>